dfumagalli
Forum Replies Created
@scheeeli I have new stuff for you.
A full scan with AMS shows all clean:
However WordFence (correctly) finds other stuff:

These are not core files. I’ve looked at them and the malicious code is really similar to what I’ve sent you already. However, for some reason, it goes unnoticed.
When I come back home I send you another zip with the stuff. I think this is just the same self-modifying or random generated code, but somehow it passes the detection patterns.
@quttera The hash display is fine when Quttera detects a “true” threat (red box). So the issue only happens when it detected something by using heuristics.
It looks like in the case of heuristics, it does not read and hash the file, so it just copies and pastes the original file hash, which is misleading.
I recorded a Youtube video where I show how malware “hides” over the screen / window corners.
This way, someone checking for malware could easily miss that the PHP file is infected.
Infection hiding demonstration
Sucuri found another file that AMS did not detect and Quttera (in my opinion) only finds via heuristics (shows as warning) but not by precise signature.
This time AVG did not show it as infected either! Despite the clear “malicious header code” prepended at the top of the original file comments.
I am going to send it to both of you.
Yes, I am really deep in this “stuff”.
By the way, @quttera keeps showing File signature == threat signature. Shouldn’t the original file signature have a hash code different from the infected file?
@quttera I could extract two bad files from quarantine from the screenshot above.
If you want, I can send several others I saved in the past days.
Do I send them to support AT quttera DOT com?
Perhaps you (not me!) got lucky.
- First I enabled a plugin that only allows my IP to see and use the website (just in case).
- Then I made a full scan and clean.
- Then I immediately zipped the whole website.
- Then I copied it to my computer by FTP.
- Scanned it and… voilà… AVG found infections again!
Now I am going to see if I can somehow recover the infected files from the quarantine and then I’ll send them.
Best regards,
D. Fumagalli
@scheeeli and @quttera thank you both for your continued interest!
Since I really had to put the website back online (600+ paying fixed service users must use it every day) I deleted the affected plugin, so the persistent infection got away.
However, every day since then, the website gets infected again, so “something” is still in.
It does not help that I completely deleted WordPress, plugins and themes, reinstalled everything, and in 3-5 hours it becomes infected again.
This, despite having installed:
– Quttera scanner
– Your Scanner
– WordFence
– Stop Spammers
Alone, in combinations and (ATM) all 4 together. The hack just goes through like a hot knife through butter.
Does not help that the users must log in, so I cannot hide wp-login and so on.
PS. @quttera I also used your online scan and it finds 4 suspicious files. However they are 4 CSS files with legit Thrive Themes code, so I suspect it’s a false positive.
Best regards,
D. Fumagalli
I’ve just found out one last trick of this infection: it uploaded a zipped fake plugin in the media uploads directory and inside it there was (also) an obfuscated infector.
Neither your antivirus nor Quttera found it, but when I backed up the “supposedly cleaned up” website and tried to download it on my main computer, my AVG antivirus blocked the download and pointed out at the infected file inside the zip file.
Apparently in the future you need to also unzip compressed files to look for infections.
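The two gaps the post above describes (a PHP infector shipped inside a zip in the media uploads directory, and a scanner that reports a stale hash instead of hashing what is on disk) can be checked for with a small defensive script. This is an added example written for this page, not code from any of the plugins discussed; the extension list, the fixture file names and the placeholder PHP content are constructed assumptions.

```python
import hashlib
import io
import os
import pathlib
import tempfile
import zipfile

# Constructed list of PHP-like extensions; extend to match the host's handler config.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # hash what was actually read, never a cached value

def php_members_in_zip(zip_bytes: bytes):
    """Return (member_name, sha256) for every PHP-like member inside an archive."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.filename.lower().endswith(PHP_EXTENSIONS):
                    hits.append((info.filename, sha256_bytes(zf.read(info))))
    except zipfile.BadZipFile:
        pass  # truncated or corrupt archive: nothing to inspect
    return hits

def scan_uploads(root: str):
    """Walk an uploads tree; flag loose PHP files and PHP hidden inside zip archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(PHP_EXTENSIONS):
                findings.append((path, "php in uploads", sha256_bytes(data)))
            elif data.startswith(b"PK\x03\x04"):  # zip magic, so a renamed archive is not skipped
                for member, digest in php_members_in_zip(data):
                    findings.append((path, "php inside archive: " + member, digest))
    return findings

def build_sample_uploads() -> str:
    """Constructed fixture: a benign image plus a fake-plugin zip that holds a PHP file."""
    root = tempfile.mkdtemp()
    pathlib.Path(root, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 stand-in image bytes")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fake-plugin/readme.txt", "harmless text")
        zf.writestr("fake-plugin/loader.php", "<?php /* constructed placeholder, not malware */")
    pathlib.Path(root, "plugin-backup.zip").write_bytes(buf.getvalue())
    return root
```

Run `scan_uploads("/path/to/wp-content/uploads")` on a real site to list every PHP file that lives loose in uploads or inside an archive there, together with the hash of the bytes actually found.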
I’ve mailed you a zip with screenshots and source files with the infection.
It’ll come from a gmail address with my user name (you can see above) + 71 in it.
Ok Eli,
where can I find a way to contact you / send those files?
Thank you!
Forum: Plugins
In reply to: [WP Page Builder] New version 1.2.5 broken functions
Had to downgrade to 1.2.3 as well, because the latest version is completely broken. All my pages became “super compact plain text” with no newlines, all formatting and links lost.
I reinstalled the old version and everything is back.
Ok, but I wonder why I have many other websites that open tabs with no issue (pop-ups get blocked indeed).
Forum: Plugins
In reply to: [Contact Form 7] [_url] stopped working on my setup
Thank you,
I have asked the customer for an online appointment to do that. I cannot operate on the website in a disruptive way at the moment. When we’ll meet and do the tests you ask, I’ll get you updated.